How to hunt for trojaned XZ RCE activity. #12706
Replies: 1 comment
-
If you had Elastic Agent installed on the box, it might be helpful to check out the Host Process Activity dashboard and see if any other processes were spawned from an sshd parent process.
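The same hunt, done offline over exported process events, as an added example for this thread (it is not code from Security Onion, Elastic, or either poster). It assumes the events are ECS-shaped as Elastic Agent emits them (`process.name`, `process.parent.pid`, `process.parent.name`, `process.command_line`, `user.name`); the allowlist of what sshd normally spawns and the sample events are constructed assumptions, and the function names are mine. Beyond the dashboard view, it walks the parent chain of each hit and prints the equivalent KQL to paste into the dashboard search bar.

```python
"""Hunt for unexpected children of sshd in ECS-style process start events.

Added example for this discussion, not Security Onion, Elastic or poster code.
Field names follow ECS as Elastic Agent emits them; the allowlist, the sample
events and the function names are assumptions made for the example.
"""
import json
import shlex

# What sshd normally spawns for a login: per-connection sshd children, the PAM
# password helper and the user's login shell. Assumed here; tune it per host.
EXPECTED_SSHD_CHILDREN = {"sshd", "unix_chkpwd", "bash", "sh", "zsh", "fish"}
SHELLS = {"bash", "sh", "zsh", "fish", "dash"}

# Constructed sample events (NDJSON, one event per line), not real telemetry.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-03-30T09:11:00Z", "event": {"category": "process", "type": "start"},
     "host": {"name": "lab-srv1"}, "user": {"name": "root"},
     "process": {"pid": 1045, "name": "sshd", "command_line": "/usr/sbin/sshd -D",
                 "parent": {"pid": 1, "name": "systemd"}}},
    {"@timestamp": "2024-03-30T09:12:01Z", "event": {"category": "process", "type": "start"},
     "host": {"name": "lab-srv1"}, "user": {"name": "root"},
     "process": {"pid": 2100, "name": "sshd", "command_line": "sshd: alice [priv]",
                 "parent": {"pid": 1045, "name": "sshd"}}},
    {"@timestamp": "2024-03-30T09:12:01Z", "event": {"category": "process", "type": "start"},
     "host": {"name": "lab-srv1"}, "user": {"name": "root"},
     "process": {"pid": 2101, "name": "unix_chkpwd", "command_line": "/usr/sbin/unix_chkpwd alice chkexpiry",
                 "parent": {"pid": 2100, "name": "sshd"}}},
    {"@timestamp": "2024-03-30T09:12:02Z", "event": {"category": "process", "type": "start"},
     "host": {"name": "lab-srv1"}, "user": {"name": "alice"},
     "process": {"pid": 2102, "name": "bash", "command_line": "-bash",
                 "parent": {"pid": 2100, "name": "sshd"}}},
    # A shell given -c straight from the listener: sshd ran a command, not a login.
    {"@timestamp": "2024-03-30T09:13:40Z", "event": {"category": "process", "type": "start"},
     "host": {"name": "lab-srv1"}, "user": {"name": "root"},
     "process": {"pid": 2103, "name": "sh", "command_line": "sh -c \"id\"",
                 "parent": {"pid": 1045, "name": "sshd"}}},
    # A non-shell binary directly under sshd: not something a login produces.
    {"@timestamp": "2024-03-30T09:13:41Z", "event": {"category": "process", "type": "start"},
     "host": {"name": "lab-srv1"}, "user": {"name": "root"},
     "process": {"pid": 2104, "name": "id", "command_line": "id",
                 "parent": {"pid": 2100, "name": "sshd"}}},
]
SAMPLE_NDJSON = "\n".join(json.dumps(ev) for ev in SAMPLE_EVENTS)


def load_events(lines):
    """Parse NDJSON lines, keeping only events that describe a process."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("event", {}).get("category") == "process" and "process" in ev:
            events.append(ev)
    return events


def sshd_children(events):
    """Return (event, reasons) for every non-sshd child of sshd worth a look:
    a name outside the allowlist, or a shell invoked with -c, which means sshd
    executed a one-off command instead of starting a login session."""
    findings = []
    for ev in events:
        proc = ev["process"]
        if proc.get("parent", {}).get("name") != "sshd" or proc.get("name") == "sshd":
            continue
        reasons = []
        if proc.get("name") not in EXPECTED_SSHD_CHILDREN:
            reasons.append("unexpected child of sshd")
        argv = shlex.split(proc.get("command_line", ""))
        if proc.get("name") in SHELLS and "-c" in argv:
            reasons.append("shell -c spawned directly by sshd")
        if reasons:
            findings.append((ev, reasons))
    return findings


def ancestry(events, pid):
    """Follow process.parent.pid links as far as the events allow, producing a
    chain such as 'sshd(1045) > sshd(2100) > id(2104)' for the report."""
    by_pid = {ev["process"]["pid"]: ev["process"] for ev in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        proc = by_pid[pid]
        chain.append(f"{proc.get('name')}({pid})")
        pid = proc.get("parent", {}).get("pid")
    return " > ".join(reversed(chain))


def kql_query():
    """KQL equivalent of the allowlist check for the dashboard search bar."""
    allow = " or ".join(f'"{n}"' for n in sorted(EXPECTED_SSHD_CHILDREN))
    return (f'event.category : "process" and process.parent.name : "sshd" '
            f'and not process.name : ({allow})')


if __name__ == "__main__":
    evs = load_events(SAMPLE_NDJSON.splitlines())
    for ev, reasons in sshd_children(evs):
        p = ev["process"]
        print(f"{ev['@timestamp']} {ev['user']['name']:<6} {ancestry(evs, p['pid'])}")
        print(f"    cmd: {p.get('command_line')}  reasons: {'; '.join(reasons)}")
    print("KQL:", kql_query())
```

Run it against an NDJSON export of the host's process events instead of the constructed sample to get the same report. Two caveats from the hunting side: the `-c` heuristic also fires on legitimate `ssh host command` use, so treat hits as a review list rather than verdicts, and a payload that executes entirely inside sshd's own address space leaves no child process at all, so an empty result does not prove nothing ran; it only shows that nothing was spawned while the agent was recording process starts.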
-
So I have a home lab in which one server had the trojanized xz(-libs) which apparently hooked into sshd. I mainly access that machine using ssh so the code must have been triggered and whatever exploit (might be an RCE) is present in the libs probably was executed.
More info here:
https://hn.algolia.com/?dateEnd=1712275200&dateRange=custom&dateStart=1711533600&page=0&prefix=false&query=XZ&sort=byPopularity&type=story
I am not the squeamish type so before I nuke and pave that server I would like to take up the opportunity to learn about Security Onion. I happen to have Security Onion 2.4.60 in promiscuous mode looking in that network segment and an Elastic Agent is also running on the server.
How would one look for sshd actions / spawned processes if this is just the default install of Elastic Agent? (So I did not install/configure Sysmon myself.)
Obviously the xz has been replaced by an earlier version without the trojan. But if necessary I can go back to that version in a lab setting and see what happens with Sysmon, but first I would like to see what is possible after the fact.
And since I am new to these parts of cybersec/Security Onion, I am asking after searching with the keywords I thought would make sense. But if there is some clear documentation on it, a simple pointer on how to find it is also appreciated.
Regards and happy Easter.